public EventValue(string hostname, long timestamp, int nLevel, string title, string message, long id, string source)
{
Level = EventValue.levelToString(nLevel);
Timestamp = timestamp;
Title = title;
Message = message;
HostName = hostname;
Id = id;
Source = source;
}
public override bool Equals(object obj)
{
if (obj == null || obj.GetType() != this.GetType())
{
return(false);
}
EventValue that = (EventValue)obj;
return(this.Id == that.Id);
}
public EventValue(string hostname, long timestamp, int nLevel, string title, string message, long id)
{
Level = EventValue.levelToString(nLevel);
Timestamp = timestamp;
Title = title;
Message = message;
HostName = hostname;
Id = id;
PluginName = "WindowsEvent";
PluginInstanceName = "";
TypeName = "";
TypeInstanceName = "";
}
public IList<CollectableValue> Read()
{
// Only collect events and event metric every nth interval
if (_intervalCounter++ % _intervalMultiplier != 0)
return new List<CollectableValue>();
IList<CollectableValue> collectableValues = new List<CollectableValue>();
long totalEvents = 0;
long collectionTime = (long)(Util.toEpoch(DateTime.UtcNow));
List<long> recordIds = new List<long>();
foreach (EventQuery eventQuery in _events)
{
List<EventRecord> records = GetEventRecords(eventQuery.minLevel, eventQuery.maxLevel, eventQuery.log, eventQuery.source);
// Filter the events - event ID must be in target range, description must match regex and we mustn't have already read this event record ID in another query
Regex filterExp = new Regex(eventQuery.filterExp, RegexOptions.None);
List<EventRecord> filteredRecords = records.FindAll(delegate(EventRecord record)
{
return !recordIds.Contains((long)record.RecordId) && record.Id >= eventQuery.minEventId && record.Id <= eventQuery.maxEventId && filterExp.IsMatch(record.FormatDescription());
});
// Add these record IDs to dedupe list so we don't capture them again in a later query
filteredRecords.ForEach(delegate(EventRecord record) { recordIds.Add((long)record.RecordId); });
if (filteredRecords.Count <= eventQuery.maxPerCycle)
{
foreach (EventRecord record in filteredRecords)
{
// Timestamp from record is machine time, not GMT
long timestamp = (long)(Util.toEpoch(record.TimeCreated.Value.ToUniversalTime()));
long id = (long)record.RecordId;
string message = record.FormatDescription();
EventValue newevent = new EventValue(_hostName, timestamp, record.Level.Value, eventQuery.title, message, id);
collectableValues.Add(newevent);
totalEvents++;
}
}
else
{
// Too many events - summarise by counting events by application,level and code
Dictionary<string, int> detailMap = new Dictionary<string, int>();
int minLevel = 999; // used to get the most severe event in the period for the summary level
filteredRecords.ForEach(delegate(EventRecord record)
{
string key = string.Format("{0} in {1} ({2})", record.LevelDisplayName, record.ProviderName, record.Id);
if (record.Level.Value < minLevel)
minLevel = record.Level.Value;
if (detailMap.ContainsKey(key))
{
detailMap[key] = detailMap[key] + 1;
}
else
{
detailMap.Add(key, 1);
}
});
List<KeyValuePair<string, int>> detailList = new List<KeyValuePair<string, int>>();
foreach (string key in detailMap.Keys)
{
detailList.Add(new KeyValuePair<string, int>(key, detailMap[key]));
}
detailList.Sort(delegate(KeyValuePair<string, int> pair1, KeyValuePair<string, int> pair2) { return -pair1.Value.CompareTo(pair2.Value); });
string[] messageLines = new string[detailList.Count];
int ix = 0;
foreach (KeyValuePair<string, int> pair in detailList)
{
messageLines[ix++] = pair.Value + " x " + pair.Key;
}
string title = string.Format("{0} ({1} events)", eventQuery.title, filteredRecords.Count);
EventValue newevent = new EventValue(_hostName, collectionTime, minLevel, title, String.Join(", ", messageLines), 0);
collectableValues.Add(newevent);
totalEvents += filteredRecords.Count;
}
}
// Add event count metric
MetricValue eventCountMetric = new MetricValue
{
HostName = _hostName,
PluginName = "windows_events",
PluginInstanceName = "",
TypeName = "count",
TypeInstanceName = "event_count",
Values = new double[] { totalEvents },
FriendlyNames = new string[] { "Windows Event Count" },
Epoch = collectionTime
};
collectableValues.Add(eventCountMetric);
return collectableValues;
}
